
Commit 3c1b2ea

maxvp and maycmlee authored
[DOCS-4707] Fix ACL and logrotate guidance for rotating logs (#37711)
* [DOCS-4707] Fix ACL recursion and logrotate guidance for rotating logs
  - Use recursive setfacl (-R) so existing log files get access, not just the directory
  - Document default ACLs (-d) so newly rotated files inherit dd-agent access
  - Explain the duplicate log entry error and how to avoid it
  - Fix misleading link text and standardize on the dd-agent user ACL
* [DOCS-4707] Apply editorial review fixes
  - Standardize on dd-agent username throughout
  - Use exact logrotate error string
  - Move 'however' to front of sentence
  - Upgrade ACL reference link to https
* [DOCS-4707] Fix subject-verb agreement and remove unsanctioned italics
  - 'ACLs need to be enabled' (plural subject)
  - Remove italics from 'default' (italics reserved for product names)
* [DOCS-4707] Remove meta references to other sections
* Apply suggestions from code review

Co-authored-by: May Lee <may.lee@datadoghq.com>

---------

Co-authored-by: May Lee <may.lee@datadoghq.com>
1 parent 9042b1c commit 3c1b2ea

1 file changed

Lines changed: 20 additions & 10 deletions

content/en/logs/guide/setting-file-permissions-for-rotating-logs.md

@@ -19,11 +19,11 @@ The Datadog Agent runs under the `dd-agent` user and `dd-agent` group. This prev
1919

2020
## Setting permissions using ACLs
2121

22-
In order to allow read-only access for `datadog-agent` only, [create ACLs and modify logrotate to persist the permissions changes][1].
22+
To allow read-only access for the `dd-agent` user, create [access control lists (ACLs)][1] and modify logrotate to persist the permission changes.
2323

2424
### Verifying ACLs are enabled on your system
2525

26-
[ACLs needs to be enabled][2] on your file system to set permissions using the methods outlined in this article. Verify ACLs are enabled by using the`getfacl` and `setfacl` commands to set permissions for the `datadog-agent` user on a test directory, for example:
26+
[ACLs need to be enabled][2] on your file system to set permissions using the methods outlined in this article. Verify ACLs are enabled by using the`getfacl` and `setfacl` commands to set permissions for the `dd-agent` user on a test directory, for example:
2727

2828
```shell
2929
mkdir /var/log/test-dir
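Review bot: The added line at 26+ still carries the typo from the old line, "by using the`getfacl` and `setfacl` commands" is missing a space between "the" and the backtick. Since this line is being rewritten anyway, change it to "by using the `getfacl` and `setfacl` commands". Everything else in this hunk (plural "ACLs need", `dd-agent` instead of `datadog-agent`) reads correctly.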
@@ -32,23 +32,33 @@ setfacl -m u:dd-agent:rx /var/log/test-dir
3232
getfacl /var/log/test-dir/
3333
```
3434

35-
The permissions set for `datadog-agent` appears in the output of getfacl if ACLs are enabled.
35+
The permissions set for `dd-agent` appears in the output of getfacl if ACLs are enabled.
3636

3737
{{< img src="logs/faq/setting_file_permission.png" alt="Setting file permission" >}}
3838

3939
### Granting dd-agent read and execute permissions on log directories
4040

41-
Once you have verified ACLs are enabled, grant read and execute permissions for the `datadog-agent` user on the appropriate directories for log collection. For example, to grant access to `/var/log/apache` , run:
41+
After you verify ACLs are enabled, grant read and execute permissions for the `dd-agent` user on the appropriate directories for log collection. A plain `setfacl -m` command applies the ACL only to the directory itself, not to the log files already inside it. Use the `-R` (recursive) flag to also grant access to existing files. For example, to grant access to `/var/log/apache`, run:
4242

4343
```shell
44-
setfacl -m u:dd-agent:rx /var/log/apache
44+
setfacl -R -m u:dd-agent:rx /var/log/apache
4545
```
4646

47-
[Learn more about how to configure ACLs on linux][3]
47+
To have new log files inherit this access automatically, set a default ACL on the directory with the `-d` flag:
48+
49+
```shell
50+
setfacl -R -d -m u:dd-agent:rx /var/log/apache
51+
```
52+
53+
A default ACL only applies to files created in the directory after the default has been set, including those that log rotation creates. This reduces the need for a separate logrotate rule. Files that already exist when you set the default ACL are unaffected, so run both commands above.
54+
55+
[Learn more about how to configure ACLs on Linux][3]
4856

4957
### Setting permissions for log file rotation
5058

51-
Setting the permissions once will not persist for rotating logs, as logrotate does not re-apply the ACL setting. For a more permanent solution add a rule to logrotate to reset the ACL in a new file:
59+
If you set a default ACL with the `-d` flag, log files created by a rotation inherit `dd-agent` access automatically, and no further configuration is required. However, a default ACL does not cover every rotation scheme. For example, a configuration that uses `copytruncate` keeps the original file (and its ACL) in place rather than creating a new file.
60+
61+
When a default ACL does not apply to your setup, add a rule to logrotate to reset the ACL after each rotation. Avoid defining a rule for log files that another logrotate configuration already manages, because logrotate reports an `error: duplicate log entry for <FILE>` message when two configurations match the same file. Instead, add a `postrotate` script to the service's existing configuration, or create a separate file for paths that are not already managed:
5262

5363
```shell
5464
sudo touch /etc/logrotate.d/dd-agent_ACLs
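Review bot: The new paragraph at 61+ tells readers to avoid a separate logrotate rule for files another configuration already manages, yet the very next step (`sudo touch /etc/logrotate.d/dd-agent_ACLs`, with the example later in this file matching `/var/log/apache/*.log`) is exactly that separate-file pattern, and Apache logs are normally managed by the web server's own logrotate entry. Either state explicitly that the example assumes no existing configuration matches that path, or turn the example into a `postrotate` block to be added to the service's existing file, which is the first of the two options the paragraph recommends. Minor: at 35+, "The permissions set for `dd-agent` appears" should be "appear" (the subject is "permissions"), the same agreement fix the commit message applies elsewhere.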
@@ -59,8 +69,8 @@ Example file:
5969
```text
6070
/var/log/apache/*.log {
6171
postrotate
62-
/usr/bin/setfacl -m g:dd-agent:rx /var/log/apache/access.log
63-
/usr/bin/setfacl -m g:dd-agent:rx /var/log/apache/error.log
72+
/usr/bin/setfacl -m u:dd-agent:rx /var/log/apache/access.log
73+
/usr/bin/setfacl -m u:dd-agent:rx /var/log/apache/error.log
6474
endscript
6575
}
6676
```
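Review bot: Switching `g:dd-agent` to `u:dd-agent` at 72+ and 73+ is the right fix, since the ACL set earlier in the guide is `u:dd-agent:rx`, but the stanza still matches `/var/log/apache/*.log` while the `postrotate` script only re-applies the ACL to `access.log` and `error.log`. Any other `.log` file in that directory will be rotated by this rule without regaining `dd-agent` access. Either narrow the pattern to the two files the script handles, or add a sentence saying that each additional log file needs its own `setfacl` line.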
@@ -114,4 +124,4 @@ Each common off-the-shelf application will follow a similar nomenclature. The ad
114124

115125
[1]: https://help.ubuntu.com/community/FilePermissionsACLs
116126
[2]: https://www.tecmint.com/secure-files-using-acls-in-linux
117-
[3]: http://xmodulo.com/configure-access-control-lists-acls-linux.html
127+
[3]: https://www.xmodulo.com/configure-access-control-lists-acls-linux.html
